Catalogs > Safety Products Catalog > Principles, Standards and Implementation > Structure of Safety Related Control Systems
Structure of Safety Related Control Systems
| Structure of Safety Related Control Systems |  |
Safety Function | |
Categories of Control Systems | |
Interlock Switch | |
Programmable Logic Controller | |
Undetected Faults | |
| Component and System Ratings | |
Fault Considerations and Exclusions | |
Systems Achieving Category 1 Stops | |
US Safety Control System Requirements | |
Robot Standards: US and Canada | |
The following discussion of categories is based on ISO 13849-1:1999, which is equivalent to EN 954-1:1996. In 2006, ISO 13849-1 was significantly revised to agree with IEC 62061 and IEC 61508, both of which can be used for highly complex safety systems. The 2006 version of ISO 13849-1 continues to utilize categories of safety performance; the categories are considered the structure or architecture of the SRCS. Additional information about the components and system design complement this structure to provide a performance level rating. The following category discussion applies to both the 1999 and 2006 revisions of ISO 13849-1.
The standard ISO 13849-1 safety-related parts of control systems, Part 1 General principles for design lays down a language of five categories for benchmarking and describing the performance of SRCSs. See Table 8 for a summary of these categories. The following notes apply to the table:
Note 1: Category B, in itself, has no special measures for safety but it forms the base for the other categories.
Note 2: Multiple faults, caused by a common cause or as inevitable consequences of the first fault, shall be counted as a single fault.
Note 3: The fault review may be limited to two faults in combination, if it can be justified but complex circuits (e.g. microprocessor circuits) may require more faults in combination to be considered.
So how do you decide which category you need? The risk assessment process should direct you to the proper category. In order to translate these requirements into a system design specification, there has to be an interpretation of the basic requirements.
It is a common misconception that Category 1 provides the least protection and Category 4 provides the most protection. This is not the reasoning behind the categories. They are intended as reference points that describe the functional performance of different methods of safety related control and the constituent parts.
Category 1 is aimed at the PREVENTION of faults. It is achieved through the use of suitable design principles, components, and materials. Simplicity of principle and design, together with stable and predictable material characteristics, are the key to this category.
Categories 2, 3, and 4 require that if faults cannot be prevented, they must be DETECTED and appropriate action taken.
Redundancy, diversity, and monitoring are key to these categories. Redundancy is the duplication of the same technique. Diversity is using two different techniques. Monitoring is checking the status of the devices and then taking appropriate action based on results of the status. The usual, but not the only method of monitoring is to duplicate the safety critical functions and compare operation.
| Summary of Requirements | System Behavior |
| Category B (see Note 1) Safety related parts of machine control systems and/or their protective equipment, as well as their components, shall be designed, constructed, selected, assembled and combined in accordance with relevant standards so that they can withstand the expected influence. Basic safety principles shall be applied. |
When a fault occurs, it can lead to a loss of the safety function |
| CATEGORY 1 The requirements of category B apply together with the use of well tried safety components and safety principles. |
As described for category B but with higher safety related reliability of the safety related function. (The higher the reliability, the less the likelihood of a fault). |
| CATEGORY 2 The requirements of category B and the use of well tried safety principles apply. The safety function(s) shall be checked at machine start-up and periodically by the machine control system. If a fault is detected a safe state shall be initiated or if this is not possible a warning shall be given. |
The loss of safety function is detected by the check. The occurrence of a fault can lead to the loss of safety function between the checking intervals. |
| CATEGORY 3 (see Notes 2 & 3) The requirements of category B and the use of well tried safety principles apply. The system shall be designed so that a single fault in any of its parts does not lead to the loss of safety function. Where practicable, a single fault shall be detected. |
When the single fault occurs the safety function is always performed. Some but not all faults will be detected. An accumulation of undetected faults can lead to the loss of safety function. |
| Category 4 (see Notes 2 & 3) The requirements of category B and the use of well tried safety principles apply. The system shall be designed so that a single fault in any of its parts does not lead to the loss of safety function. The single fault is detected at or before the next demand on the safety function. If this detection is not possible then an accumulation of faults shall not lead to a loss of safety function. |
When the faults occur, the safety function is always performed. The faults will be detected in time to prevent the loss of safety functions. |
| Table 8: Categories of Safety Performance | |
Category B
Category B provides basic requirements of any control system; whether it is a safety related or non-safety related control system. A control system must work in its expected environment. The concept of reliability provides a foundation for control systems, as reliability is defined as the probability that a device will perform its intended function for a specified interval under expected conditions.
Although we have a system that meets our reliability goals, we know the system will fail eventually. The safety system designer needs to know whether the system will fail to danger or whether it will fail to a safe state. The mantra is, “How does the system perform in the presence of faults?”
Starting with this concept, what principles should be followed to guide the system design? Cat B requires the application of basic safety principles. ISO 13849-2 tells us the basic safety principles for electrical, pneumatic, hydraulic, and mechanical systems. The electrical principles are summarized as follows:
- Proper selection, combination, arrangements, assembly and installation (i.e., per mfg’rs instructions)
- Compatibility of components with voltages and currents
- Withstand environmental conditions
- Use of de-energization principle
- Transient suppression
- Reduction of response time
- Protection against unexpected start-up
- Secure fixing of input devices (e.g. mounting of interlocks)
- Protection of control circuit (per NFPA79 & IEC60204-1)
- Correct protective bonding
Figure 120 shows an example of a Category B system. The guard is interlocked with a negative-mode (spring driven) limit switch. Short circuit and overload protection is provided to meet the electrical standard requirements for protection of the control circuit. Transient suppression is used to help prevent contact welding when the contactor coil is de-energized. The de-energization principle is used: the guard interlock turns the motor off. The components must be selected and installed to meet the foreseeable environment conditions and current/voltage requirements. Note that no special measures for safety are applied under Category B. Therefore, additional measures may be required.
Press the start button with the guard closed to energize the motor, which symbolizes the hazard. When the K1 contactor closes, an auxiliary contact maintains the circuit and the start button can be released. Press the stop button or open the guard to turn the motor off. Releasing the stop button or closing the guard does not cause the motor to restart.
|
| Figure 120: Simple Category B System |
Figure 121 shows a complex system that meets Category B. Here, multiple sensing devices (limit switches) and push buttons are connected to the input module of a programmable logic controller (PLC). Multiple actuators are connected to the output module. A software-controlled logic module determines which outputs to turn on or off in response to the state of the sensing devices.
|
| Figure 121: A Complex Category B System |
How do we know these circuits meet Category B?
First, the designer must select, install, and assemble the devices according to the instructions provided by the manufacturer. These devices must work within the expected voltage and current ratings. The expected environmental conditions, like electromagnetic compatibility, vibration, shock, contamination, and washdown must also be considered. The de-energization principle is used. Transient protection is installed across the contactor coils, The motor is protected against overloads. All wiring and grounding meets appropriate electrical standards.
The next step in the safety analysis is to separate the system into its major components and consider their modes of potential failure. Previously we looked at the system as three blocks. When considering safety system performance, the wiring must also be included in the analysis. Figure 122 shows the safety system block diagram.
|
| Figure 122: Safety System Block Diagram |
In the Category B examples, the components are:
- Interlock (Limit) switch
- Programmable logic controller
- Contactor
- Wiring